naval postgraduate school monterey, california · rinald wayne vughn -avail and ior dist special...
TRANSCRIPT
NAVAL POSTGRADUATE SCHOOLMonterey, California
AD-A257 449
DTIC,S ELECTE
THESIS .NOV23E
COMPUTER SECURITY CONCEPTS and ISSUESin the INFORMATION TECHNOLOGYMANAGEMENT (370) CURRICULUM
by
Reginald Wayne Vaughn
September 1992
Thesis Co-Advisor: Dr. Tung X. Bui
Thesis Co-Advisor: Roger Stemp
Approved for public release; distribution is unlimited.
92-299o6
UNCLASSIFIEDSECURITY CLASSIFICATION OF THIS PAGE
REPORT DOCUMENTATION PAGE1a. REPORT SECURITY CLASSIFICATION UNCLASSIFIED lb. RESTRICTIVE MARKINGS
2a SECURITY CLASSIFICATION AUTHORITY 3. DISTRIBUTIONWAVAILABILITY OF REPORT2b. DECLAS,1FICATIONIUOWNGRADING SCHEDULE Approved for public release;
distribution is unlimited
4. PERFORMING ORGANIZATION REPORT NUMBER(S) 5. MONITORING ORGANIZATION REPORT NUMBER(S)
TO" NAME OF.PEREORMING ORGANIZATION 6b. OFFICE SYMBOL 7a. NAME OF NITORING ORGANIZATION
Computer tecnology Dept. (itapplicable) Naval Postgraduate SchoolNaval Postgraduate School 376c. ADDRESS (City, State. and ZIP Code) 7b. ADDRESS (City, State, and ZIP Code)
Monterey, CA 93943-5000 Monterey, CA 93943-50
8a. NAME OF FUNDING/SPONSORING 8b. OFFICE SYMBOL 9. PROCUREMENT INSTRUMENT IDENTIFICATION NUMBERORGANIZATION (if applicable)
8c. ADDRESS (City, State, and ZIP Code) 10. SOURCE OF FUNDING NUMBERSPROGRAM PROJECT TASK WORK UNITELEMENT NO. NO. NO. ACCESSION NO.
11. TITLE (Include Security Classification)
COMPUTER SECURITY CONCEPTS and ISSUES in the INFORMATION TECHNOLOGY MANAGEMENT
ýha P I L A .U TI, •(augn, eginal¶ wayneaster T s b.EOERED 14. DATE OF REPORT (Year, A#Onth. Day) 1 04
M .ster .e'si s I "From 09/91 To 09/92 September 199216. SUPPLMENTARY NOTATIOThe views expressed in this thesis are those of the author and do not reflect the officialpolicy or position of the Department of Defense or the United States Government
17. COSATI CODES 18. SUBJECT TERMS (Continue on reverse it necessary and identify by block number)
FIELD GROUP SUB-GROUP
19. ABSTRACT (Continue on reverse if necessary and identify by block number)DoD has become increasingly dependent upon storing its sensitive information in electronic form and has a deep
concern for the integrity and privacy of this valuable information. In the recent aftermath of numerous electronic
break-ins, the DoD continues to express anxiety over technically weak system administrators' inability to protect
sensitive electronic information.
The solution to minimizing these electronic intrusions and bolstering computer security in DoD is to educate
military officers and federal civilians in the methods of computer security. This can be accomplished by integrating
concepts and problem solving techniques related to computer security into the Information Technology Management
(370) Curriculum at the Naval Postgraduate School.
20. DISTRIBUTION/AVAILABILITY OF ABSTRAGT 21. ABSTRACT SECURITY CLASSIFICATION[3UNCLASSIFIED/UNLIMITED []SAME AS RPT. [] DTIC USERS UNCLASSIFIED
ft AM PN E NDVJDAp 22b TELgP ONElInclude Area Code) 11I Sang1•I ungk A.Tlui aria Koger Stemp
DO FORM 1473, 84 MAR 83 APR edition may be used until exhausted SECURITY CLASSIFICATION OF THIS PAGEAll other editions are obsolete UNCLASSIFIED
i
UNCLASSIFIEDSECURITY CLASSFICATION OF THiS PAGE
[11] Continued: (370) Curriculum
V
S
SECURITY CLASSIFICATION OF THIS PAGE
UNCLASSUFIEDii
Approved for public release; distribution is unlimited
COMPUTER SECURITY CONCEPTS and ISSUES in the INFORMATIONTECHNOLOGY MANAGEMENT (370) CURRICULUM
byReginald Wayne Vaughn
Lieutenant, United States NavyB.S., Lamar University, 1983
Submitted in partial fulfillment of therequirements for the degree of
MASTER OF SCIENCE IN INFORMATION SYSTEMS
Accesion For
from the NTIS CRA&MDTIC TAB
NAVAL POSTGRADUATE SCHOOL UnannouncedSeptember 1992 Justificaton.......................
By .................
Author: Distribution I
9 ca wgd." )_e% 2,,• i Availability CodesRinald Wayne Vughn - Avail and Ior
Dist Special
Approved By: _ __ _-/Dr.Tung X. Bul, Co-Advisor
RoerSen -Advisor It
)2ývid R. Whip~ple, Chairman,Department of Administrative Sciences
iii
ABSTRACT
DoD has become increasingly dependent upon storing its sensitive informa-
tion in electronic form and has a deep concern for the integrity and privacy of
this valuable information. In the recent aftermath of numerous electronic
break-ins, the DoD continues to express anxiety over technically weak system
administrators' inability to protect sensitive electronic information.
The solution to minimizing these electronic intrusions and bolstering
computer security in DoD is to educate military officers and federal civilians
in the methods of computer security. This can be accomplished by integrating
concepts and problem solving techniques related to computer security into the
Information Technology Management (370) Curriculum at the Naval
Postgraduate School.
iv
TABLE OF CONTENTS
I. INTRODUCTION ................................................. 1
A. RATIONALE AND PURPOSE OF THESIS ........................ 1
B. SUMMARY OF CONTENTS ..................................... 3
HI. COMPUTER SECURITY AND DOD ................................. 5
A. WHAT IS COMPUTER SECURITY? .............................. 5
B. DOD'S INTEREST IN COMPUTER SECURITY ..................... 6
1. 1989 U.S. General Accounting Office Report ................... 6
2. 1991 U.S. General Accounting Office Report .................... 7
3. Computer Security Climate ................................... 9
C. THE NEED FOR COMPUTER SECURITY PROFESSIONALS ........ 9
EI9. CULTIVATING COMPUTER SECURITY IN DOD ..................... 10
A. SECURITY RELATED LEGISLATION .......................... 10
1. NTISSP 200 ............................................. 10
2. Computer Security Act of 1987 .............................. 13
B. FORMAL COMPUTER SECURITY EDUCATION ................. 13
IV. ANALYTICAL METHODS ........................................ 16
A. LITERATURE REVIEW ....................................... 16
B. LOGICAL COURSE GROUPINGS ............................... 17
C. INTERVIEWS WITH NPS FACULTY ............................ 18
D. INTERVIEWS WITH DOD ADP MANAGERS .................... 18
E. COURSE ANALYSES ......................................... 19
V. SUMMARY OF FINDINGS ........................................ 20
VI. RECOMMENDATIONS ........................................... 23
VII. CONCLUSION ................................................ 30
APPENDIX A Information Systems Courses ............................ 31
APPENDIX B Computer Science Courses .............................. 52
V
APPENDIX C Electro-Optical and Communication Courses ................ 73
LIST OF REFERENCES ................................................ 94
INITIAL DISTRIBUTION LIST .......................................... 96
vi
L INTRODUCTION
A. RATIONALE AND PURPOSE OF THESIS
In 1986, Cliff Stoll, an astronomer-turned-system administrator at
Lawrence Berkeley Laboratory, attracted international attention by tracing a
75 cent computer system accounting error to a West German hacker stealing
military documents and selling them to the KGB. Although the hacker was not
a brilliant programmer, he was persistent. By exploiting security deficiencies
in operating systems, lax password security, and poor system management,
the hacker managed to attack over 450 computers attached to MILNET,
successfully penetrating 30. The hacker persistently attacked computers
located at military bases, defense contractors, and universities, searching files
for keywords like KH- 11, SDI, and NUCLEAR. [Ref. 1]
On the evening of November 2, 1988, Robert T. Morris, a Cornell
graduate student unleashed a worm on the Internet. Within hours
approximately 3,000 Sun and VAX workstations running variants of the
Berkeley Standard Distribution 4.3 UNIX operating system fell victim to the
worm. Although the worm, innocuous in the sense that it did not destroy files
or alter information, did however propagate uncontrollably, overwhelming
system resources. [Ref. 2]
Between April 1990 and May 1991, foreign hackers penetrated 34
Department of Defense (DoD) computers including one system that directly
supported Operation Desert Shield / Storm. The hackers gained access to
sensitive military computers by exploiting well known flaws in operating
systems, weaknesses in the Trivial File Transfer Protocol (TFTP) and
accounts with easily guessed passwords. [Ref. 3]
1
DoD has become increasingly dependent upon storing its "sensitive
information" in electronic form and naturally there is a deep concern for the
integrity and privacy of this valuable information. In the aftermath of
numerous electronic intrusions, many questions have been raised regarding
the lack of computer security and the abundance of computer system
vulnerabilities.
One predominate factor linked to these "electronic break-ins" is
system administrators who are not formally educated in computer
security. Although highly publicized stories of "electronic break-ins",
worms, and viruses have made some system administrators more security
conscious, awareness of the problem is not enough. [Ref. 4]
The phenomenon of widespread electronic intrusion is veryrecent. It is made possible by the proliferation of personalcomputers and their connection to electronic networks. Althoughtechnically sophisticated, intrusions are always the acts of humanbeings. Intrusions can be controlled by a combination oftechnical safeguards -- a sort of network immune system -- andhygienic procedures for using computers. But they cannot beeliminated.
It would seem that some straightforward technological fixeswould greatly reduce future threats. But technological fixes arenot the final answer; they are valid only until someone launchesa new kind of attack. [Ref. 5]
The solution to minimizing these electronic intrusions and bolstering
computer security in DoD is to educate military officers and federal civilians
in the methods of computer security. This can be accomplished by integrating
concepts and problem solving techniques related to computer security into the
Information Technology Management (370) Curriculum at the Naval
Postgraduate School.
2
The following describes DoD's anxiety about system administrators'
inability to safeguard electronic information, and proposes several cost
efficient avenues to enhance the training of computer security in the
Information Technology Management (370) Curriculum. This thesis will also
serve as a computer security reference vehicle to facilitate faculty members in
modifying their courses to encompass relevant security issues.
B. SUMMARY OF CONTENTS
This thesis contains seven chapters and three appendices, the following is
a summary of the contents:
Chapter I Introduction acquaints the reader with three highly
publicized electronic break-ins and highlights DoD's anxiety about
technically weak system administrators' inability to protect sensitive
electronic information.
Chapter II Computer Security and DoD briefly describes what
computer security is and what it entails. Introduces two U.S. Government
Accounting Office (GAO) perceptions of system administrators, the current
"local" computer security climate, and the need for computer security
professionals.
Chapter HI Cultivating Computer Security in DoD describes laws,
acts, and technical publications that directly impact computer security within
DoD. Proposes modifying an academic program at the Naval Postgraduate
School to ameliorate DoD's computer security problems.
Chapter IV Analysis Methods describes the procedures and resources
used in this thesis.
3
Chapter V Summary of Findings summarizes the thesis research
findings and the strengths and weaknesses of the current 370 Curriculum.
Chapter VI Recommendations describes in detail seven
recommendations for improving computer security.
Chapter VII Conclusion; opinions.
Appendix A Information Systems Courses reflects the comparison of IS
courses with the (ISC)2 information security certification format.
Appendix B Computer Science Courses reflects the comparison of CS
courses with the (ISC)2 information security certification format.
Appendix C Electro-Optical and Communication Courses reflects the
comparison of EO and CM courses with the (ISC)2 information security
certification format.
List of References lists the sources of information used.
4
IL COMPUTER SECURITY AND DOD
A. WHAT IS COMPUTER SECURITY?
In the aftermath of numerous "electronic break-ins" to sensitive
government computers, the DoD has become acutely aware of its computer
security inadequacies. In light of these recent events one must ponder the
question, what exactly is computer security and what does it entail?
Computer security is far more reaching than just protecting information
systems from "electronic break-ins".
Computer security is concerned with identifyingvulnerabilities in systems and in protecting against threats tothose systems .... many computer users still don't reallyunderstand what computer security is--and why it should beimportant to them. Computer security protects your computerand everything associated with it--your building, your terminalsand printers, your cabling, and your disks and tapes. Mostimportantly, computer security protects the information you'vestored in your system. That's why computer security is oftencalled information security. [Ref. 6]
"Every computer system is vulnerable to attack". [Ref. 7] In order to
protect this valuable information, first determine where the system is
susceptible to intrusion, attack, or environmental danger. Once you have
discovered the system's vulnerabilities, appropriate preventative measures
can be taken. Typical areas of concern include:
Physical Vulnerabilities: Your buildings, your computer siteand the associated peripherals are vulnerable. One of the primaryfunctions of physical security is to restrict unauthorized access tothe computer site and provide protection from damage caused bynatural disasters. "Physical security methods include oldfashioned locks and keys, as well as more advanced technologieslike smart cards and biometric devices."[Ref. 8]
5
" Natural Disasters, such as fire, floods, earthquakes, and otherdangers due to natural forces can cause irreparable damage tocomputer equipment and even worse, a loss of valuableinformation. Although natural disasters are not preventable, stepscan be taken to minimize the severity of the damage.
" Software Vulnerabilities: Worms, viruses, trapdoors, and evensimple bugs can open the system to electronic intruders.
" Human Vulnerabilities: "The people who administer and useyour computer system represent the greatest vulnerability of all.The security of your entire system is often in the hands of asystems administrator." If that administrator is not properlytrained or is unable to safeguard valuable electronic information,the system could be exploited and subjected to electronicterrorism or vandalism. [Ref. 9]
B. DOD'S INTEREST IN COMPUTER SECURITY
1. 1989 U.S. General Accounting Office Report
DoD has become increasingly dependent upon storing its "sensitive
information" in electronic form and naturally there is a deep concern for the
integrity and privacy of this valuable information.
Network intruders--some would call themselves explorers orliberators--have found ways of using networks to dial into remotecomputers, browse through their contents, and work their wayinto other computers. They have become skilled at cracking thepassword protocols that guard computers and adept at trickingthe operating systems into giving them superuser or systemmanager privileges. They have also created worm and virusprograms that can carry out these actions unattended andreplicate themselves endlessly--electronic surrogates that canprowl the network independent of their creators. As electronicnetworking spreads around the globe, making possible newinternational interactions and breaching barriers of language andtime, so rise the risks of damage to valuable information and theanxiety over attack by intruders, worms, and viruses. [Ref. 10]
6
Representative Edward J. Markey, Chairman of the Subcommittee on
Telecommunications and Finance (House Committee on Energy and
Commerce), recognizing the devastating impact a malicious "Internet type"
worm could have on DoD computers, asked the U.S. General Accounting
Office (GAO) to conduct an intensive investigation focusing on DoD's
inherent vulnerabilities regarding computer security. [Ref. 11]
Hackers have been accessing and continue to gain access to sensitive
networked DoD computer systems by exploiting system weaknesses. One of
the most prevalent weaknesses mentioned in the 1989 GAO report was
that host computer site system managers were technically weak and
practiced poor security management techniques. The report states:
Host computers are frequently administered by systemsmanagers, typically site personnel engaged in their own research,who often serve as systems managers on a part-time basis.
A number of Internet users, as well as NCSC and DefenseCommunications Agency virus reports, stated that the technicalabilities of systems managers vary widely, with many managerspoorly equipped to deal with security issues, such as the Internetvirus. For example, according to the NCSC report, many systemsmanagers lacked the technical expertise to understand that a virusattacked their systems and had difficulty administering fixes.The report recommended that standards be established anda training program begun to upgrade systems managerexpertise. [Ref. 12]
2. 1991 U.S. General Accounting Office Report
On November 20, 1991 Jack L. Brock Jr., Director of Government
Information and Financial Management Issues (Information Management and
Technology Division) gave testimony before the members of the Senate
7
Subcommittee on the vulnerabilities of DoD computer systems penetrated
during Operation Desert Shield / Storm. Mr. Brock stated:
Hackers continue to successfully exploit security weaknessesand undermine the integrity and confidentiality of sensitivegovernment information.
Between April 1990 and May 1991, computer systems at 34DoD sites attached to the Internet were successfully penetratedby foreign hackers. The hackers exploited well-known securityweaknesses--many of which were exploited in the past by otherhacker groups. These weaknesses persist because of theinadequate attention to computer security, such as passwordmanagement, and the lack of technical expertise on the parl ofsome system administrators--persons responsible for thetechnical management of the system.
At many of the sites the hackers had access to unclassified,sensitive information on such topics as (1) military personnel--personnel performance reports, travel information and personnelreductions; (2) logistics--descriptions of the type and quantity ofequipment being moved: and (3) weapons systems developmentdata.
Although such information is unclassified, it can be highlysensitive, particularly during times of international conflict.Some DoD and government officials have expressed concern thatthe aggregation of unclassified, sensitive information couldresult in the compromise of classified information.
...system administration duties are generally part-timeduties and that administrators frequently have littlecomputer security background or training. [Ref. 13]
Both GAO reports express DoD's anxiety about system
administrators' lack of technical expertise and their inability to safeguard
electronic information.
8
3. Computer Security Climate
To obtain a feel for the "local" computer security climate, interviews
were conducted with the System Administrator/Automated Data Processing
(ADP) Managers at two central California military installations to determine
their computer security backgrounds and training. Research revealed that the
system administrators received little if any formal education in the arena of
computer security. For example, one of the ADP Manager's entire formal
training consisted of a two day computer security Course in San Francisco
[Ref. 14]. The other ADP Manager had not received any type of formal
computer security training to date [Ref. 15].
C. THE NEED FOR COMPUTER SECURITY PROFESSIONALS
It is imperative that the concepts and issues of computer security be
addressed if our goal is to protect the privacy, integrity and availability of
sensitive government information from forms of electronic vandalism and
terrorism. To accomplish this goal, attention must be focused on establishing
an education program that will provide system administrators with the
technical expertise to understand, administer, and make knowledgeable,
informed decisions with regard to computer security.
9
IlL CULTIVATING COMPUTER SECURITY IN DOD
A. SECURITY RELATED LEGISLATION
Since the late 1950s, federal agencies have become increasingly
concerned over the protection of sensitive electronic information. This
concern has spawned numerous pieces of legislation aimed at security. Two
recent pieces of legislation, the National Telecommunication and Information
Systems Security Publication 200 (NTISSP 200) and the Computer Security
Act of 1987, have had a profound impact on the delegation of computer
security practices in DoD.
1. NTISSP 200
National Telecommunication and Information SystemsSecurity Publication 200 (National Policy on Controlled AccessProtection) defined a minimum level of protection for computersystems operated by Executive branch agencies and departmentsof the U.S. Government. The policy applies to any systemaccessed by multiple users who do not all have the sameauthorization to use all of the classified or sensitive unclassifiedinformation processed or maintained by the system. NTISSP 200stated that within five years of publication (i.e., by September of1992), the systems affected by the policy must provideautomated Controlled Access Protection (CAP) for all classifiedand sensitive unclassified information at the C2 level of trustdefined in the Orange Book.' [Ref. 16]
The Orange Book is a technical publication, part of the Rainbow Series2,
which defines trusted computer system evaluation criteria for systems
requiring multiple levels of security. There are four basic divisions of trust,
1. Department of Defense Trusted Computer System Evaluation Criteia, Department of Defense Stan-dard (DOD 5200.28-STD) Library Number S225.711, December 1985.
2. A series of technical computer security books published by the National Computer Security Center,each with a different colored covering, hence the name "Rainbow Series"
10
with each division further subdivided into one or more distinct classes. Each
class is denoted with a number, where the higher numbers indicate a greater
degree of security [Ref. 17]. In increasing order of trust, from lowest to
highest, the classes are:
"* D Minimal Protection
" Cl Discretionary Security Protection
" C2 Controlled Access Protection
"B 1 Labeled Security Protection
" B2 Structured Protection
"* B3 Security Domains
"* Al Verified Design
How do you rate each of the aforementioned classes, and what are the
associated requirements to achieve this rating?
Each class is defined by a specific set of criteria that a systemmust met to be awarded a rating for that class. The criteria fallinto four general categories: security policy, accountability,assurance, and documentation. [Ref. 18] Table 1 compares theOrange Book evaluation classes, showing the specific featuresrequired for each class and, in general terms, how requirementsincrease from class to class. [Ref. 19]
11
Table 1: TRUSTED COMPUTER SYSTEM EVALUATION CRITERIACl C2 BI B2 B3 Al
Discretionary Access Control
Object Reuse
Labels
Label Integrity
Exploitation of Labeled Information
Exploitation of Multilevel Devices
Labeling Human-Readable Output
Mandatory Access Control
Subject Sensitivity LabelsDevice Labels
Identification and Authentication
Audit
Trusted Path
System Architecture
System Integrity
Security Testing
Design Specification and Verification
Covert Channel Analysis
Trusted Facility Management
Configuration Management
Trusted Recovery
Trusted Distribution
Security Features User's Guide
Trusted, Facility Manual
Test Documentation
Design Documentation
New or enhanced requirements for this class
No additional requirements for this class
m No requirements for this class
12
2. Computer Security Act of 1987
The Computer Security Act of 1987 holds each federal agency
accountable for identifying computer systems that utilize sensitive data. The
act also requires civilian, military, government employees, and others who
directly interact with systems containing sensitive information to receive
computer security training commensurate with their level of access. [Ref. 9]
Since the government has over 50,000 sensitive systems, a new stock
of questions emerge. Who will train this multitude of individuals needed to
operate these systems, to what extent will they be trained, and how will their
computer security training benefit the DoD?
B. FORMAL COMPUTER SECURITY EDUCATION: TOWARD A
CERTIFICATION FORMAT
System administrators are chronically considered the weak link in
the computer security chain. Their lack of formal and technical education in
the arena of computer security is a dangerous situation, but this situation can
be rectified.
The Naval Postgraduate School (NPS) in Monterey, California, an
institution dedicated to providing graduate level academic programs to meet
the increasing technological and professional needs of the DoD, offers a viable
solution. The Information Technology Management (370) Curriculum, an
eight quarter interdisciplinary program of study, is designed to provide
officers and federally employed civilians with a strong knowledge of
information systems, emphasizing computer and telecommunication systems.
With minor modifications and a moderate injection of computer security
concepts and issues, the Information Technology Management (370)
13
Curriculum can become a beneficial vehicle for producing more
knowledgeable and competent computer security "professionals". The
modified curriculum can greatly contribute towards combating DoD's
computer security problems.
There are individuals in the computer industry who market themselves as"security professionals", but without the sanction of any recognized certifying
group. A few certification programs lightly touch on security issues, but to
date, there is no certification program dedicated totally to the issues of
information security. [Ref. 20]
The International Information Systems Security Certification
Consortium-- or (ISC)2 for short-- was created to develop acertification program for information systems securitypractitioners. In November 1988, the Special Interest Group forComputer Security (SIG-CS) of the Data ProcessingManagement Association (DPMA) brought togetherorganizations who were interested in creating a certificationprogram for this community of specialists. The cooperatingorganizations include the Data Processing ManagementAssociation (DPMA), Information Systems Security Association(ISSA), Idaho State University, the National Security Agency(NSA), and the Computer Security Institute (CSI). Other groups--including the Canadian and U.S. Governments, the CanadianInformation Processing Society (CIPS), and the InternationalFederation for Information Processing (IFIO) have beenrepresented at meetings and have been invited to participate.Representation from other interested and qualified bodies,including IEEE and ACM, is under consideration. [Ref. 21]
In 1991 (ISC)2 proposed the first formal certification program for
computer security professionals. This certification reflects the current thought
and future expectations of distinguished experts in the computer security field.
[Ref. 22]
14
By extracting the (ISC)2 certification format and injecting these concepts
and issues into the existing 370 Curriculum, a new, enhanced curriculum will
metamorphose. In this fast changing climate of high-technology, this
curriculum will ensure the military has an ample supply of these top-level
managers and supervisors who possess a solid background in the area of
computer security.
15
IV. ANALYTICAL METHODS
The purpose of this thesis is to determine if relevant computer security
concepts and issues were being addressed in the Information Technology
Management (370) Curriculum and make recommendations to improve
course content and the Curriculum. In order to determine which concepts and
issues were considered relevant and if they were being addressed, several
methods were employed:
" Literature review (including academic and DoD publications oncomputer security).
"* Interviews with DoD ADP Managers.
" Interviews with faculty from the Computer Science,Administrative Sciences, and the Electrical and ComputerEngineering Departments.
"* Micro analysis of the 370 Curriculum from the viewpoint of
computer security, utilizing the (ISC)2 certification format.
A. LITERATURE REVIEW
Initially, a comprehensive literature review was conducted to become
familiar with the current computer security atmosphere and to form a
knowledge base for further research. The computer library located in the
Naval Postgraduate School's Ingersoll Hall, is a cornucopia of computer
information. Some of the reference material utilized to assimilate information
for the knowledge base includes;
"* Government Publications: The "Rainbow Series", FederalInformation Processing Standards Publications (FIPS PUBS)and Government Accounting Office Reports (GAO)
"* Electronic Newsgroups: alt.security, comp.risks, comp.virus
16
* Anonymous File Transfer Protocol (FTP): Several documentswere retrieved electronically from these addresses:certsei.cmu.edu, cu.nih.gov, cs.purdue.edu.
* Computer Security Books: Computers under Attack: Intruders,Worms and Viruses by Peter Denning, Security in Computing byCharles Pfleeger, Computer Security Basics by Deborah Russelland G.T. Gangemi Sr., and Computer Security Handbook byRichard Baker.
* Computer Security Professional Certification Format:International Information Systems Security CertificationConsortium (ISC) 2 is the format used to evaluate each course inthe 370 Curriculum. The result of the evaluation is reflected inAppendices A, B, and C.
Once the information from the literature review was assimilated, and a
through knowledge of computer security established. This newly gained
knowledge base, along with the (ISC)2 certification format was used as a tool
to interview NPS faculty members.
B. LOGICAL COURSE GROUPINGS
To analyze the 370 Curriculum, it was necessary to segregate the courses
into the following logical course groupings; Communications (CM),
Computer Science (CS), Electro-Optical (EO), Information Systems (IS),
Management (MN), Operations Science (OS), Mathematics (MA), and Naval
Science (NS). Research revealed the MN, OS, MA, and NS courses were
sufficiently devoid of the information applicable to computer security. Four
course groupings: IS, CS, CM and EO were selected for analysis because
they contained the bulk of the technical material in the 370 Curriculum and
relate to computer systems. Once the areas for analysis were selected, the
experts were interviewed.
17
C. INTERVIEWS WITH NPS FACULTY
Faculty members representing the Computer Science, Administrative
Science, and the Electrical and Computer Engineering departments were
individually interviewed. Each interview revolved around four main issues:
"* To what extent did the course address computer securityconcepts and issues?
"* If the concepts and issues were not addressed, how easy wouldit be to incorporate the (ISC)2 format into the course?
"* If the concepts and issues were addressed, how close did thecontent adhere to the (ISC) 2 format?
* If there were shortcomings in the amount of computer securityissues addressed, where could improvements be made?
Each emphasis area course within its respective department was reviewed
for computer security related concepts or issues. Faculty members were
encouraged to offer their opinions as to how the courses could be modified to
adhere to the (ISC)2 certification format.
D. INTERVIEWS WITH DOD ADP MANAGERS
Interviews were conducted with the System Administrator/Automated
Data Processing (ADP) Managers at two central California military
installations to determine their computer security backgrounds and training.
Interview questions focused on;
"* Personal Education: Did the individual have any previouscomputer experience, if so what type, and how much?
"* Training: What type of computer security training had theyreceived? What actions were taken to increase the staff'sawareness of computer security? What type of guidance did theyreceive (e.g. local instructions, Navy instructions, laws, etc...).
18
What were their future plans to increase computer security and
computer security awareness at their site?
E. COURSE ANALYSES
Four logical course grouping areas of the 370 Curriculum; Information
Systems, Computer Science, Communications and Electro-Optical were
analyzed. Each course in the respective logical course grouping was
scrutinized for relevant computer security issues using the (ISC)2 certification
format as a cross-reference. Each course fell into one of three categories,
either the subject was addressed, the subject was not addressed but needs
to be, or the subject was not relevant to the course.
19
V. SUMMARY OF FINDINGS
Both the 1989 and 1991 GAO reports discussed in chapter 2,express
DoD's anxiety about technically weak system administrator's inability to
protect sensitive electronic information. Both reports recommend a formal
training program be established to strenghten system administrator's
knowledge of computer security.
Interviews with local ADP managers support the GAO's findings that
system administrators receive little if any formal computer security training.
Although only a small portion of the ADP manager population was sampled,
it was evident that formal computer security training had not been a
prerequisite for the position.
Faculty interviews along with course analyses indicate only one course,
CS 4601 Computer Security, adheres closely to the (ISC)2 certification
format, and that computer security concepts and issues are sparse in other
courses of the 370 Curriculum. Of the 298 topic items identified by the (ISC)2
certification format, 165 items are addressed in CS 4601 Computer Security,
37 items are addressed in IS 4200 System Analysis and Design, 10 items are
addressed in CM 3112 Navy Telecommunications Systems, and 6 items in CS
2970 Structured Programming with Ada. Those courses that actually
addressed computer security concepts or issues are highlighted in the current
370 Curriculum matrix shown in Table 2.
20
Table 2: CURRENT INFORMATION TECHNOLOGY MANAGEMENT (370)CURRICULUM
1 stIS 2000 (3-1 ~ (') s30 41) MN 21SS5(4-0Quarter Introduction to Computer Statistical Analysis for Accounting for
Management AsMaagement Management
2 nd CS 3030 (4-0) MA 1248 (4-1) OS 3004 (S-0) MN 310S (4-0)Quarter Computer Architecture Selected Topics in Operations Research for Organization and
and Operating Systems Applied Mathematics Computer Systems ManagementManagers
3 rd14204 EO 2710 (4-2) IS 4183 (4-1) IS 3170 (4-0)Quarter 5ybA u~ Commr Systems 1: Applications of Economic Evaluation of
I~iEtAnalog Signals and Datahase Management Information Systems ISystems Systems
4 th IS 3020 (3-2) EO 2750 (4-2) IS 4185 (4-1) IS 3171 (4-0)Quarter Software Design Comm Systems II: Decision Support Economic Evaluation of
Digital Signals and Systems Information Systems 11Systems
S th IS 4300 (4-0) EO 3750 (4-0) IS 3502 (4-0) ........Quarter Software Engineering Communications Computer Networks: ...........
and Management System Analysis Wide Area ILocal Area_ _ ...........
6 th MN 4125 (4-0) NS 3252 (4-0) IS 4502 (4-0) is 0810(0)Quarter Managing Planned Joint and Maritime Telecommunications Thesis Research for
Change in Complex Strategic Planning Networks Information TechnologyOrganizations Management Studenta
7 th MN 3154 (4-0) S 6 (4) MN 3307 (4-0) is 0810 (0-0)Quarter Financial Management in fiytanI ADP Acquisition, Thesis Researchs for
the Amed Frcesinformation Techmologythe Amed orce ManaementStudessts
8 ti IS 4182 (4-0) Elective is 0810 (0-0) is 0810 (0-0)Quarter Information Systems Th'lesis Research for Thesis Research for
Management Information Technology Information TechnologyManagement Students Management Studemt
For a detailed analysis of how well each course paralleled the relevant
computer security concepts in (ISC9 certification format see the following
appendices. [Ref. 20]
"* APPENDIX A Information Systems Courses
"* APPENDIX B Computer Science Courses
"* APPENDIX C Electro-Optical and Communication Courses
21
In order to help decipher the appendices, a small sample is provided in
Table 3.
Table 3: APPENDIX LEGEND
A. Development of aSecurity Program -- I I I I I [
1. Reason for a organizational security management policy [
a. Objectives
1. Identify sensitive systems/data
2. Security plan
3. Tr•ining
EThe concept or issue is currently addressed.
*The concept or issue is not currently addressed, but needs to be.
WThe concept or issue is not relevant to the course.
22
VI. RECOMMENDATIONS
Research indicates that the current 370 Curriculum needs a moderate
injection of additional computer security topics to emulate the (ISC)2
certification format. Several recommendations for modifying the 370
Curriculum follow:
Recommendation 1: Modify the 370 Curriculum to allow students
to specialize in a particular area of interest. The curriculum would be divided
into three subspecialty areas called "Emphasis Tracks" as follows:
"* Computer Security Emphasis Track
"* Telecommunications Networks Emphasis Track
"* Information Resource Management Emphasis Track
Each "Emphasis Track" would have one or more mandatory required
courses and a variety of elective courses to choose from. The 370 Curriculum
currently provides only one elective choice for students. The flexibility of
being able to select from a variety of elective courses would allow the
individual to tailor the curriculum to their particular field of interest. To
promote this flexibility, two additional elective slots can be realized with the
elimination of MN 4125 (Managing Planned Changed in Complex
Organizations) and IS 3171 (Economic Evaluation of Informations Systems
1I). Examples of each Emphasis Track are provided below:
a. Computer Security Emphasis Track
Required Courses:
IS 3220 - Computer Center Management
IS 4xxx3 - Risk Analysis and Disaster Recovery Planning
23
Elective Courses:
CS 4602 - Advanced Computer Security
IS 3000 - Distributed Computer System
IS 3503 - Micro-Computer Networks
IS 4184 - Information Resource Management in DoN/DoD
IS 4186 - Knowledge-Based Systems and Artificial Intelligence
MN 4125 - Managing Planned Change in Complex Organizations
OS 3404 - Man-Machine Interaction
b. Telecommunications Networks Emphasis Track
Required Course:
IS 3000 - Distributed Computer System
Elective Courses:
IS 3220 - Computer Center Management
IS 3503 - Micro-Computer Networks
IS 4184 - Information Resource Management in DoN/DoD
IS 4xxx - Risk Analysis and Disaster Recovery Planning
MN 4125 - Managing Planned Change in Complex Organizations
OS 3404 - Man-Machine Interaction
c. Information Resource Management Emphasis Track
Required Courses:
IS 4184 - Information Resource Management in DoN/DoD
Elective Courses:
IS 3000 - Distributed Computer System
IS 3220 - Computer Center Management
3. IS 4xxx Risk Analysis and Disaster Recovery Planning is a course that would have to be developed.
24
IS 3503 - Micro-Computer Networks
IS 4xxx - Risk Analysis and Disaster Recovery Planning
MN 4125 - Managing Planned Change in Complex Organizations
MN 4105 - Management Policy
OS 3404 - Man-Machine Interaction
Recommendation 2: Eliminate the IS 3171 (Economic Evaluation
of Informations Systems ID, MN 3154 (Financial Management in the Armed
Forces), and MN 4125 (Managing Planned Changed in Complex
Organizations) courses from the 370 Curriculum and replace them with
emphasis track electives. Split the CS 3030 Computer Architecture and
Operating Systems course into two courses. One course would consist of
primarily computer architecture, CS 3010, and the other course would consist
primarily of operating systems, CS 3030.
The benefit of splitting the current CS 3030 Computer Architecture and
Operating Systems course into two separate course will allow the instructors
more time to present the material in greater detail as well as inject more
security related issues. The only benefit of not splitting CS 3030 is that it
would make room for a fourth Track Elective. Two curriculum matrices are
shown in Tables 4 and 5. Table 4 reflects CS 3030 being split and Table 5
reflects CS 3030 not being split.
25
Table 4: MATRIXK WITH IS 3171, MN 31549, AND MN 4125ELIMINATED AND CS 3030 SPLIT
1 At IS 2000 (3-1) CS 2970 (4-1) 0S53101 (4-1) MN 2155 (4-0)Quarter Introduction to Computer Structured Programming Statistical Analysis for Accounting for
Muaaganent with Ada Management Manaigement
2nad CS 3010 (4-0) MA 1248 (4-1) OS 3004 (5-0) MN 310S5(4-0)Quarter Computer Architecture Selected Topics in Operations Research for organization and
Applied Mathematics Computer system ManagementManagers
3 rd IS 4200 (4-0) EO 2710 (4-2) IS 4183 (4-1) IS 3170 (4-0)Quarter System Analysis and Comm Systems 1: Applications of Economic Evaluation of
Design Analog Signals and Database Management Information Systems ISystems Systems
4 th IS 3020 (3-2)) EO 2750 (4-2) IS54185 (4-1) CS 3030 (4-0)Qatr Software Design Comm Systems U: Decision Support Operating Systems
Digital signals and SystemsSystems
5 th IS4300 (4-0) E0 3750 (4-0) IS 3502(4-0) CM 3112 (4-0)Quarter Software Engineering Communications Computer Networks: Navy
and Management System Analysis Wide Areat / L0cal Area TelecommunicationsSystems
6 tb S 53252 (4-0) IS 4502 (4-0) is 0810 (0-0)Joint and Maritime Telecomminsicaaions Thesis Research for
Qurtr. .. ... ... .. .. Strategic Planning Network Information Technology. .. .. .manageme," Studeuts
7th CS 4601(40 MN 3307 (4-0) is 0810 (0-0)Quate Computer Securnty ADP Acquisition Thesis Research for
Information Tedumology-aaemn Studnt
8th~i 14 240)50810 (0-0) Is50810 (0-0)Quater InfnnaionSysemsThesis Research for Thetsi Research for
Management Information Technology Information Technology... .. management Students Management Students
26
Table 5: MATRIX WITH IS 3171, MN 3154 AND MN 4125 ELIMINATED ANDWITHOUT CS 3030 SPLIT
1 At IS 200 (3-1) CS 2970 (4-1) OS 3101 (4-1) MN 2155 (4-0)Quarter InidctiontoConiputer Strucaiied Progrmmniing Statistical Analysis for Accounting for
Management with Ad& Management Management
2 ud CS 3030 (4-0) MA 1248 (4-1) OS 3004 (5-0) MN 3105 (4-0)Quarter Computer Architecture Selected Topics in Operations Research for Organizationl and
and Operating Systems Applied Mathematics Computer Systems ManagementManagers
*3 rd IS 4200 (4-0) EO 2710 (4-2) IS 4183 (4-1) IS 3170 (4-0)Quarter Syskm Analysis and Comm Systems 1: Applications of Economic Evaluation of
Design Analog Signals and Databuse Management information Systems ISystems Systems
4 th IS 3020 (3-2)) EO 2750 (4-2) IS 4185 (4-1) MN 3307 (4-0)Quarter Software Design Comm Systems UI: Decision Support APP Acquisition
Digital Signals and SystemsSystems
5 th IS 4300 (4-0) EO 3750 (4-0) IS 3502 (4-0) CM 3112 (4-0)Quarter Software Engineering Communications Computer Networks: Navy
and Management System Analysis Wide Area / L=Wa Area TelecommunicationsSystems
6 th NS 3252 (4-0) IS 4502 (4-0) isO0S10(0-0)Quarter.........Joint and Maritime Telecommunications Thesis Research for
strategic Planning Network information TechnologyManagement Students
7 Vth 1bt ~ S4601(4-0) 1i ijIS08 10(0-0)Quarter Computer Security TesRearhfo
...... .. . . .Information TechnologyManagement Students
8 th IS 4182 (4-0) is 0310 (0-0) is 0810 (0-0)Quarter Informiation Systems Thesis Research for Thesis Research for
Management ...i.........Information Technology Information TechnologyManagement Students Management students
Recommendation 3: Establish an advanced computer security
course as an elective for those individuals desiring to gain expertise in
computer security. Academic objectives would include an understanding of:
* the fundamental models involved in multilevel security.
* how the fundamental models used in multilevel security areimplemented in the design of a secure computer system.
0the advancements and limitations of computer security
27
technology in the areas of multilevel databases, networks anddistributed systems.
"* the various roles encryption plays in the development of securenetwork protocols and remote access control.
"* the DoD requirements for trusted systems and the verification
process.
Recommendation 4: Establish a Disaster Recovery and Planning
course IS 4xxx, which would include:
"* current theoretical foundations for conducting risk analysis.
"* an introduction to automated assessment tools.
"* an introduction to current guidelines and directives.
"* analyses of case studies.
Recommendation 5: Establish a computer security laboratory,
which would allow students to apply theoretical concepts. This lab would
include:
" quarantined systems which would allow students to experimentwith viruses without infecting other computers. Students couldmonitor the life cycle of viruses along with evaluating differentanti-virus software packages.
"* computers with communication software that would allowstudents to gain experience using both private and public keyencryption protocols and permit them to conduct fundamentalpenetration testing.
" TEMPEST equipment to monitor electronic emanations fromcomputer systems, peripherals, and conductors.
"* a Honeywell Information System Secure CommunicationsProcessor (SCOMP). The SCOMP is the only system to date thathas received an A l Orange Book security rating. The SCOMPwould provide students a vital research tool to explore multilevel
28
security issues.
various biometric devices that measure human bodycharacteristics used in computer security such as: retinal patterns,fingerprints, handprints, voice patterns, keystroke patterns, andsignature dynamics. The Naval Postgraduate School'sOperations Research Department has an excellent biometricslaboratory which could be used as an annex of the computersecurity laboratory.
Recommendation 5: Provide adequate funding in order to support a
quarterly seminar program in which visiting specialists from both government
and civilian sectors could address students and faculty concerning new
technologies, products and policies.
Recommendation 6: Restructure the IS 2000 Introduction to
Computer Management course to include high level coverage of material
delineated in the (ISC)2 certification format. This would expose new students
to the importance of computer security early in the curriculum and thereby
foster a basic understanding and appreciation of concepts that will be
introduced in subsequent courses.
Recommendation 7: Use the Appendices A, B, and C as a computer
security reference to help guide faculty members in modifying their courses to
include relevant computer security topics.
29
VIL CONCLUSION
DoD has become increasingly dependent upon storing its sensitive
information in electronic form and naturally there is a deep concern for the
integrity and privacy of this valuable information. In the recent aftermath of
numerous electronic break-ins, the DoD continues to express anxiety over
technically weak system administrators' inability to protect sensitive
electronic information.
A significant step in minimizing electronic intrusions and bolstering
computer security in DoD is to educate military officers and federal civilians
in the latest technology and administrative controls available to enhance
computer security. T"js ,an be accomplished by modifying the Information
Technology Management (370) Curriculum at the Naval Postgraduate School
to adhere to the proposed recommendations.
In order to further enhance the Information Technology Management
(370) Curriculum at the Naval Postgraduate School, and strengthen the
graduate's knowledge of computer security, it is imperative that the 370
Curriculum be revised to meet the needs of DoD in this rapidly changing
technology.
30
APPENDIX A
Table 6: Information Systems Courses
1. Overview
A. Development of a Security Program --- T III I
1. Reason for a organizational security management policy
a. Objectives
1. Identify sensitive systems/data
2. Security plan "= 1 1E IIII
3. Training
b. Policies
1. Written and communicated
2. Board of directors responsibility
3. DPMA model policy [U " _..
c. Connectivity, organizational structure, and securityT-II
1. Connectivity definedIII ll l
2. Effect on organizational structure
3. Security considerations
d. Plans
1. Human resource management
2. Access control I l ll Ill
3. Datacontrol
31
Table 6: Information Systems Courses
4. Labeling
5. Contingency plan
6. Legal responsibilities
e. Responsibilities
1. Board of Directors
2. Board of Directors & senior management
3. Middle management
4. Users
B. Risk Analysis
1. Reason l7 9
2. Typical contents
3. Main purposes
C. Contingency Planning
1. Defined
2. Backup
3. Critical elements
D. Legal Issues for Managers
1. Licenses
2. Fraud/misuse
32
Table 6: Information Systems Courses
4. Copyright
5. Trade secretsU I I6. Employee agreements I I I N I T I I
E. System Validation & Verification (Accreditation)
1. Plan testing
2. Acceptance of responsibility
F. Information Systems Audit I I I I
II. Risk Management I II[ IIII1I
A. Asset Identification and Valuation
1. Processing valuation U I Il1l
2. Risk management team T7 I I
3. Classification of assets
4. Subclassification of assetsII II
a. People. skills, andprocdures I I l
b. Physical and environmental' IIU lll
c. Communications IIn IU IIII
d. Hardware
e. Software
f. Data and information
33
Table 6: Information Systems Courses
g. Goodwill
5. Determining values for assets
a. Acquired and intrinsic values
b. Purpose of assigning value to assets
c. How to measure assets values
d. Criticality and sensitivity
1. Criticality: business impact. revenue losses
embarrassment, legal problems
2. Sensitivity: privacy, trade secrets, planning
information, financial data
3. Sources MIS. users, senior management
4. Levels: military, national security, commercial
e. Asset valuation: standard accounting I Ul
f. Asset valuation: replacement value
g. Asset valuation: loss of availability
h. Asset valuation: estimating methods
6. Use of asset analysis results
a. Limitations
1. Lack of data
34
Table 6: Information Systems Courses
oThreats vulnerabilities ad exposures defined
2. Methodologies for threat assessment
a. Properties of threats
b. Properties of assets
c. Combining properties: the cost exposure matrix
3. Probability concepts
a. Definitions
b. Tables of probability values
c. Fuzzy metrics
d. Expected values
e. Worst case
f. Automated packages
4. Sources of threat information
a. Vulnerability analysis
b. Scenarios
c. Past history
d. Outside Sources
5. Calculating exposures
35
Table 6: Information Systems Courses
M. Safeguards: Security and Control Measures IT 11ll ITH
A. Overview of Safeguards II II I
1. Common sensegie I l l iil
2. Types of controls: prevention, detections reaction
a. Basic purpose of controls
b. Prevention as
c. Detection analysis
d. Containment
e. Reaction or correction
3. Design strategies T
a. CountermeasuresIII
b. Countermeasure selection --- T
c. Sensitivity analysisI1 1I' I
d. Decision analysis 1 1 Te. Goal-seeking heuristics TT IIa -F
f. Risk perception and communication - -7
4. Components of EDP security
a. Administrative and organizational controls
b. Policies
36
Table 6: Information Systems Courses
d. Physical and environmental security T N -T- i i
e. Computer operations
f. Contingency planning
5. Components of EDP security: technical
a. Communication and electronic exposures
b. Hardware
c. Encryption
d. Software
B. Organizational and Administrative Controls
1. Trade secrets, employee agreements, conflict of interest
2. Security policy
a. Intent (related to sensitivity)
b. Access to and distribution of information I II l lIIl
c. Laws
d. Regulations
e. Company policy
f. Mandatory and discretionary security - Tl l
g. Accountability: identification, authentication, audit
3. Responsibility areas, System Security Officer
37
Table 6: Information Systems Courses
a. Basi role U I l l I
b. Duties l l l l
c. Training and skills for a System Security Office
4. Employee training
a. Orientation
b. Skills
5. Telecommuting
C. Personnel Consideration
1. Human motives for criminal action [] 11 1
2. Employee selection
a. Application forms
b. Permissions for investigations
c. Security clearance and citizenship
3. Professional certificates
4. Working environment
a Vacations and job rotation
b. Employee-management relations
c. Career path planning
d. Remuneration
38
Table 6: Information Systems Courses
6. Prosecution for adverse actions U l l l l
7. Employee separation
D. Physical and Environmental Security
1. Site location and construction
a. Computer room considerations
b. Special microcomputer problems
2. Physical access
a. Access vs. security
b. Rooms, windows, doors, keys
3. Power
a. Spikes, surges. brownouts U l
b. Costs of prevention/protection equipment
4. Air-conditioning
5. Water exposures and problems
6. Fire prevention
7. Fire protection
8. Tape and media libraries; retention policies
9. Waste disposal
10. Off-site storage
39
Table 6: Information Systems Courses
11. Document libraries and controlsI l I I
E. Computer Operations
1. Organization of computer operations
a. Mainframes
b. Minicomputers
c. Microcomputers/office automation
2. Separation of duties
3. Controls at interfaces
4. Media controls
5. Backup procedures
6. People controls
F. Contingency Planning
1. Backups and procedures
a. Data i m l l HL
b. Manuals and documentation
c. Equipment
1. Air conditioning
2. Uninterruptible power supply
2. Catastrophe planning
40
Table 6: Information Systems Courses
a. Stages in adisaster l l l l
b. Planning and response teamsl llU l l
c. Testing planl llU l l
d. Communication of plan Im lm l l
3. Security and controls in off-site backup and facilities IT
4. Business and DP insurance
5. Software escrow arrangements
IV. Safeguards: Security and Control Measures, Technical
A. Hackers and reality: Perception of Risk
B. Communications and Electronic Exposures IIIII1 IIIII
1. Locus of attack I7 I1111I1I1
a. Terminals l I I I IW
b. Hosts IIIU l
c. Front-end processors
d. Gateways
e. Links~l lI
f. Switches (multiplexors, packet switching, etc.) llI l l[
g. Special problems with intelligent workstations -- T In l I' I I
2. Types of attack
a. Passive: disclosure; traffic analysis, add/remove nodes
41
Table 6: Information Systems Courses
b. Active: modification; insertion: deletion, replay 1)111T I m I H
3. Electronic
a. Incoming: interruptions: static, FRI: EMP
b. Outgoing: leakage
c. Solutions: shielding
4. Communications
a. Value-added communications
b. exposures incoming: noise and interference
c. Exposures outgoing: interception, replacement IIIIII I M
d. Solution: physical measures
e. Solutions: encryption
f. ISO OSI communications standards
5. Network design
a. Design considerations
1. Integration of countermeasures into network
design: cryptographic checksum: time stamp;
Bell/LaPadula model
2. Integration of countermeasures into protocol layers:
link level encryption: end-to-end encryption
42
Table 6: Information Systems Courses
Pb. PAssumraonce ----- 4--
1. Concept of trust
2. Degrees of trustworthiness H IF T3. Trusted network base U I
4. Testing i 1 1 1 1
5. Formal specification I IlI ll I I
6. Formal verification
C. Encryption
1. Definition (plaintext. ciphertext: encryption/decryption)
2. Public key and private key
3. Key distribution
4. Link level, end-to-end
5. Block mode. cipher block chaining, stream ciphers
(synchronous and self-synchronous)
6. DES. RSA
7. Cryptanalysis and strength of ciphers (theoretically secure,
computationally secure)
8. Advantages and disadvantages
D. Software and Operating System Controls
1. Secure operating systems
43
Table 6: Information Systems Courses
a. Hstory
b. Concepts: capabilities. reference validations
1. Secure kernels
2. Reference validations and capabilities
c. Present guidelines and standards, trusted computer base
d. Design principles fro secure systems
1. Least privilege
2. Open design
3. Fail-safe defaults
4. Economy of mechanisms
5. Naturalness (human factors)
6. Continuous protection
e. Common penetration methods and countermeasures
1. Trojan horse; virus: worm; salami: piggyback:
deception; human compromise; etc.
2. Controls on changes; audit trails: program library;
code comparison; checksums and encryption;
vaccines and antiviral agents; access control; etc.
2. Access control I
44
Table 6: Information Systems Courses
1. Subjects and objects 111111TI- N.1
2. Access privileges
3. Granting/revoking of privileges
4. Access control lists UT5. Capabilities, descriptors
6. Supervisor states, rings, domains
b. Non-discretionary access control
1. Labels on subjects, objects
2. Rules for reading, writing
3. Software Controls: Development
a. The real problem: bugs
b. Software engineering principles: layering, modularity
c. Structured methods
d. Formal specification and verification
e. Program library/librarian
f. Data dictionary as acontrol {_772 Bg. Conversion and implementation il {
4. Software controls: Maintenance l l l i l
a. Separation of duties
45
Table 6: Information Systems Courses
b. Testing controls IU IIIIl•U
c. Change control
5. Ass-rance
a. Integrity Tb. Testing
c. Specification/verification
d. Facility management
e. Disaster/contingency
f. Compliance/degree of trust
E. Database systems security II7 l
1. Overview
a. Review of basic concepts of information protection
b. Role of information protection in database systems
2. Threats V II I [
a. Direct disclosure of data
b. Modification of data/tampering with data
c. Inference
d. Aggregation Ill I I a ! I
e. Trojan horse - I 1 l'l !11
46
Table 6: Information Systems Courses
3. Policy/mechanism T IIIIiIII
a. Policy versus mechanism -7II 1IIl
b. Access controls 1 1 I1I111I
1. Access right and privileges
2. Access control policies
3. Granularity
4. Labels
5. Access control mechanisms
c. Inference controls
d. Integrity controlsI I I I I I
1. Integrity policy
2. Integrity mechanisms ]Il
e. Accountability controls
1. Identification and authentication
2. Audit
4. Design issues
a. Protection Approaches
I. Trusted kernel
2. Trusted filter
47
Table 6: Information Systems Courses
M K I N~ ~~~ ~~ E li & W O M R 11q~" ; ýI "
3. Encryption
b. Performance
c. Storage
d. Access control vs. integrity
e. Assurance
V. Legal Environment and Professionalism
A. Law and legislation T
l. The underlying problem
a. Theft, copying software, privacy
b. Fraud
c. Physical abuse
d. Mfisuse of information
e. Sabotage
2. Laws as tools for computer security
a. Privacy laws and legislation
b. Intellectual property laws
1. Copyright law
2. Trade secret law
3. Patent law I I I I
48
Table 6: Information Systems Courses
c. Federal laws (esp. Computer Security Act 1987) 1 1lUlii l Tl
d. State statutes I L LL
e. DPMA Model Computer Crime Bill - II I U Illl
f. Computer crime legislation in other countries I I I I I ll
3. Legislation as legal options to control computer crime
a. License agreements (consumer license agreements) I
b. permanent license agreements I III-la llll
c. Intellectual property rights
d. Employee non-disclosure considerations
e. Contracts
1. Software development contracts
2. Legal aspects of software purchasing
3. Leasing contracts
f. Warranties for software and hardware
4. Control of strategic materials
5. Fraud and crime prevention and detection
6. Investigation; evidentiary trial - m I N I T
B. Ethics and professionalism
1. Ethical decision-making
49
Table 6: Information Systems Courses
2. Professional societies T 11l111
a. British Computer Society 1 7I LU II
b. North America: DPMA and ICCP
c. Canada: CIPS and DPMA
1. CIPS
2. DPMA Canada
d. Computer Professionals for Social Responsibility
e. EDP Auditors Foundation
3. National Computer Security Center
4. National Bureau of Standards
5. Certificate in Data Processing(CPC): Certified Information
Systems Auditor (CISA)
VI. CICA Computer Control Guidelines
A. Accounting and auditing
1. Computer Control Guidelines
a. Responsibility for Control
b. Information Systems Development and Acquisition
c. Information Systems Processing
d. Segregation of Incompatible Functions and Controls
50
Table 6: Information Systems Courses
a. Security review objectives II ll l
b. Specific security controlsIII l l l
c. Security review process l lll l
d. Evidence accumulation
e. Evaluation of test results 0 lll;; llll
e. Communication of control weaknesses
5'
APPENDIX BTable 7: Computer Science Courses
A. Development of a Security Program TTT
1. Reason for a organizational security management policy
a. Objectives Ill
1. Identify sensitive systems/data
2. Security plan
3. Training
b. Policies Ill1. Written and communicated I 1 1
2. Board of directors responsibility ] ]
3. DPMA model policy
c. Connectivity, organizational structure, and security
1. Connectivity defined
2. Effect on organizational structure
3. Security considerations
d. Plans III
1. Human resource management
2. Access control
3. Data control
52
Table 7: Computer Science Courses
4. Labeling
5. Contingency plan
6. Legal responsibilities
e. Respo~nsihilities T
I. Board ot Directors
2. Board of Directors & senior management I
3. Middle mnanagement III4. Users 7 it
B. Risk Analysis III
I. Reson
2. Tvpic.a contents
3. Main purposes
C. Contingency Planning - ]
1. Defined
2. Backup
3. Critical elements
D. Legtl Issues for Managers
I. Licenses
2. Fraud/misuse
53
Table 7: Computer Science Courses
3. Privacy M
4. Copyright
5. Trade secrets I [
6. Employee agreements I I
E. System Validation & Verification (Accreditation) Ill
1. Plan testing II IM
2. Acceptance of responsibility
F. Information Systems Audit T7
U. Risk Management
A. Asset Identification and Valuation
1. Processing valuation
2. Risk management team
3. Classification of assets
4. Subclassification of assets
a. People, skills, and procedures
h. Physical and environmental I Alt
c. Communications
d. HardwareI A
e. Software
f. Data and information
54
Table 7: Computer Science Courses
g. Goodwill
5. Determining values •or ••ssets T
a. Acquired and intrinsic vdues
h. Purpose of assigning value to assets
c. How to measure assets values
d. Criticality and sensitivity I
1. Criticality: business impact. revenue losses
embarwassmnent, legal problems T
2. Sensitivity: privacy. trade secrets. planning -
information. financial data
3. Sources MIS. users, senior management
4. Levels: military, national security, commercial
e. Asset valuation: standard accounting
f. Asset valuation: replacement value
g. Asset valuation: loss of availability
h. Asset valuation: estimating methods
6. Use of asset analysis results
a. Limitations
1. Lack of data
55
Table 7: Computer Science Courses
2. Interpretation
B. Threat and Exposure Assessment - I
1. Threats. vulnerabilities. and exposures defined
2. Methodologies for threat assessment
a. Properties of threats
b. Properties of assets
c. Combining properties: the cost exposure matrix
3. Probability concepts
a. Definitions
b. Tables of probability values
c. Fuzzy metrics I J N
d. Expected values
e. Worst case
f. Automated packages
4. Sources of threat information
a. Vulnerability analysis
b. Scenarios
c. Past history
d. Outside Sources
5. Calculating exposures
56
Table 7: Computer Science Courses
[II. Safeguards: Security and Control Measures
A. Overview of Safeguards _ T
1. Common sense 1
2. Types of controls: prevention. detection, reaction
a. Basic purpose of controls I
h. Prevention 0
c. Detection
d. Containment
e. Reaction or correction
3. Design strategies
a. Countermeasures
b. Countermeasure selection
c. Sensitivity analysis 7 7
d. Decision analysis
e. Goal-seeking heuristics _ •
f. Risk perception and communication
4. Components of EDP security _ I
a. Administrative and organizational controls
b. Policies
57
Table 7: Computer Science Courses
c. Personnel
d. Physical and environmental security [ [
e. Computer operations 7 1 1
f. Contingency planning III5. Components of EDP security: technical
a. Communication and electronic exposures
b. Hardware
c. Encryption
d. Software
B. Organizational and Administrative Controls
1. Trade secrets, employee agreements, conflict of interest
2. Security policy
a. Intent (related to sensitivity)
b. Access to and distribution of information
c. Laws
d. Regulations
e. Company policy T I1f. Mandatory and discretionary security I -
g. Accountability: identification, authentication, audit
3. Responsibility areas, System Security Officer
58
Table 7: Computer Science Courses
a. Basic role I I Ib. Duties I I I
c. Training and skills for .a System Security Office -__LL4. Employee training [[
a. Orientation
b. Skills
5. Telecommuting -__T
C. Personnel Consideration
i. Human motives for criminal action
2. Employee selection I I I
a. Application torms 7 _T
b. Permissions for investigations
c. Security clearance and citizenship
3. Professional certificates I 1 1
4. Working environment - [
a. Vacations and job rotation
b. Employee-management relations [[
c. Career path planning I
d. Remuneration
59
Table 7: Computer Science Courses
6. Prosecution for adverse actions I 1 1
7. Employee separation TTI
D. Physical and Environmental Security I I I
I. Site location and construction T II
a. Computer room considerations I I
b. Special microcomputer problems III
2 Physical access
a. Access vs. security .... J
b. Rooms, windows, doors, keys
3. Power
a. Spikes. surges, brownouts T
b. Costs of prevention/protection equipment
4. Air-conditioning
5. Water exposures and problems
6. Fire prevention
7. Fre protection
8. Tape and media libraries; retention policies
9. Waste disposal
10. Off-site storage
60
Table 7: Computer Science Courses
11. Document libraries •nd controls I L
E. Computer Operations I [I
I. Orgamization of computer operations I I I
a. Mainfranes
h. Minicomputers-
c. Microcomputers/office automation T Tl
2. Separation of duties I1I3. Controls at interfaces -F
4. Media controlsI11
5. Backup procedures II IR
6. People controls, II
F. Contingency Planning III
1. Backups and procedures II
a. Datat
h. Manulds and documentation
c. Equipment III
1. Air conditioning I11
2. Uninterruptible power supply T
2. Catastrophe planning
61
Table 7: Computer Science Courses
a. Stages in a disaster
b. Planning and response teams
c. Testing plan
d. Communication of plan
3. Security and controls in off-site backup and facilities
4. Business and DP insurance
5. Software escrow arrangements T
IV. Safeguards: Security and Control Measures, Technical
A. Hackers and reality: Perception of Risk
B. Communications and Electronic Exposures
1. Locus of attack III
a. Terminals
b. Hosts TTFc. Front-end processors II
d. Gateways T ll
e. Links I
f. Switches (multiplexors, packet switching, etc.) T
g. Special problems with intelligent workstations I 1 1
2. Types of attack T
a. Passive: disclosure: traffic analysis: add/remove nodes
62
Table 7: Computer Science Courses
h. Active: modification: insertion: deletion: replay
3. Electronic I I I
a. Incoming: interruptions: static: FRI: EMP I
h. Outgoing: leakage I
c. Solutions: shielding
4. CommunicationsI Ia.Value-added communicationsI I
b. exposures incoming: noise and interference [ I
c. Exposures outgoing: interception, replacement -7 11,
d. Solution: physical measures IIIe. Solutions: encryption III
f. ISO OSI communications standards
5. Network design
a. Design considerations III
1. Integration of countermeasures into network
design: cryptographic checksum: time stamp;
Bell/LaPadula model
2. Integration of countermeasures into protocol layers:
link level encryption: end-to-end encryption
63
Table 7: Computer Science Courses
b. Assuranck:
1. Concept of trust TTF2. Degrees of trustworthiness III
3. Trusted network base II
4. Testing•I
5. Formal specification
6. Formal verification
C. Encrypti, III
1. Definition kplaintext, ciphertext: encryption/decryption)
2. Public key and private key I I V
3. Key distribution
4. Link level, end-to-end
5. Block mode. cipher block chaining, stream ciphers
(synchronous and self-synchronous)
6. DES.RSA
7. Cryptanalysis and strength of ciphers (theoretically secure
computationallv secure)
X. Advantages and disadvantages
D. Software and Operating System Controls
1. Secure operating systems T II
64
Table 7: Computer Science Courses
a. History
b. Concepts: capabilities. reference validations [
1. Secure kernels
2. Reference validations and capabilities
c. Present guidelines and standards, trusted computer base
d. Design principles fro secure systems _TT
1. Least privilege
2. Open design
3. Fail-safe defaults
4. Economy of mechanisms
5. Naturalness (human factors)
6. Continuous protection
e. Common penetration methods and countermeasures III
1. Trojan horse; virus: worm: salami: piggyback: M E
deception; human compromise: etc. III
2. Controls on changes: audit trails: program library;
code comparison: checksums and encryption:.
vaccines and antiviral agents: access control: etc.
2. Access control III
65
Table 7: Computer Science Courses
a. Discretionary access control
1. Subjects and objects
2. Access privileges
3. Granting/revoking of privileges
4. Access control lists lll
5. Capabilities. descriptors
6. Supervisor states, rings, domains T WO.,b. Non -discretion ary access control I
1. Labels on subjects. objects
2. Rules for reading, writing
3. Software Controls: Development
a. The real problem: bugs
b. Software engineering principles: layering, modularity
c. Structured methods
d. Formal specification and verification
e. Program library/librarian
f. Data dictionary as a control
g. Conversion and implementation
4. Software controls: Maintenance
a. Separation of duties
66
Table 7: Computer Science Courses
b. Testing controls
c. Change control A F
5. Assurance I
a. Integrity /
h. Testing I
c. Specification/verification elVT•
d. Facility management III
e. Disaster/contingency
f. Compliance/degree of trustI I
E. Database systems security III
1. Overview
a. Review of basic concepts of information protection [
b. Role of information protection in database systems
2. Threats I
a. Direct disclosure of data I•
b. Modification of data/tampering with data
c. Inference
d. Aggregation
e. Trojan horse
67
Table 7: Computer Science Courses
3. Policy/mechanism
a. Policy versus mechanism
b. Access controls
1. Access right and privileges
2. Access control policies
3. Granularity
4. Labels I 1 1
5. Access control mechanisms Tc. Inference controls
d. Integrity controls TI1. Integrity policy
2. Integrity mechanisms [ i
e. Accountability controls
1. Identification and authentication TT
2. Audit
4. Design issues III
a. Protection Approaches
1. Trusted kernel
2. Trusted filter
68
Table 7: Computer Science Courses
3. Encryption I
b. Performance I
c. Storage III
d. Access control vs. integrity Ii
e. Assurance
V. Legal Environment and Professionalism
A. Law and legislation
1. The underlying problem
a. Theft, copying software, privacy
b. Fraud
c. Physical abuse
d. Misuse of information
e. Sabotage
2. Laws as tools for computer security
a. Privacy laws and legislation
b. Intellectual property laws
1. Copyright law
2. Trade secret law
3. Patent law II M
69
Table 7: Computer Science Courses
4. Trademark law
c. Federal laws (esp. Computer Security Act 1987) T IR
d. State statutes III
e. DPMA Model Computer Crime Bill
f. Computer crime legislation in other countries [
3. Legislation as legal options to control computer crime
a. License agreements (consumer license agreements)
b. permanent license agreements
c. Intellectual property rights
d. Employee non-disclosure considerations 1 1 1
e. Contracts
I. Software development contracts
2. Legal aspects of software purchasing T
3. Leasing contracts Ill
f. Warranties for software and hardware
4. Control of strategic materials Ill5. Fraud . -'me prevention and detection 7 16. lnvestigauon: evidentiary trial [
B. Ethics and professionalism 11
I. Ethical dccision-making
70
Table 7: Computer Science Courses
2. Professional societies T
a. British Computer Society
b. North America: DPMA and ICCP
c. Canada. CIPS and DPMA
1. CIPS
2. DPMA Canada
d. Computer Professionals for Social Responsibility
e. EDP Auditors Foundation
3. National Computer Security Center
4. National Bureau of Standards
5. Certificate in Data Processing(CPC): Certified Information I I
Systems Auditor(CISA)
VI. CICA Computer Control Guidelines .L _
A. Accounting and auditing
1. Computer Control Guidelines
a. Responsibility for Control
b. Information Systems Development and Acquisition T I
c. Information Systems Processing
d. Segregation of Incompatible Functions and Controls -7 T
71
Table 7: Computer Science Courses
Me. Apoplication ControlsM E
2. Information systems audit
a. Sec urity review objectives
b. Specific security controls
c. Security review process
d. Evidence accumulation
e. Evaluation of test results
f. Communication of control weaknesses 777
72
APPENDIX C
Table 8: Electro-Optical and Communication Courses
I. Overview
A. Development of a Security Program
1. Reason for a organizational security management policy
a. Objectives
1. Identify sensitive systems/data
2. Security plan
3. Training
b. Policies
1. Written and communicated
2. Board of directors responsibility
3. DPMA model policy I I
c. Connectivity, organizational structure, and security
1. Connectivity defined
2. Effect on organizational structure
3. Security considerations
d. Plans
1. Human resource management I I I
2. Access control III
3. Data control
73
Table 8: Electro-Optical and Communication Courses
4. Labeling
5. Contingency plan
6. Legal responsibilities LL
e. Responsibilities [ T
1. Board of Directors
2. Board of Directors & senior management T I
3. Middle management
4. Users TT
B. Risk Analysis
1. Reason
2. Typical contents
3. Main purposes
C. Contingency Planning
i. Defined I
2. Backup
3. Critical elements
D. Legal Issues for Managers
I. Licenses
2. Fraud/misuse Ill
74
Table 8: Electro-Optical and Communication Courses
3. Privacy
4. Copyright
5. Trade secrets
6. Employee agreements
E. System Validation & Verification (Accreditation)
1. Plan testing III
2. Acceptance of responsibility
F. Information Systems Audit [ [
II. Risk Management
A. Asset Identification and Valuation
I. Processing valuation
2. Risk management team I I [
3. Classification of assets
4. Subclassification of assets
a. People. skills, and procedures
b. Physical and environmental
c. Communications
d. Hardware III
e. Software
f. Data and information
75
Table 8: Electro-Optical and Communication Courses
g. Goodwill TI5. Determining values forassets [ [
a. Acquired and intrinsic values
b. Purpose of assiening value to assets j Y -
c. 1ow to measure assets values
d. Criticality and sensitivity II
I. Criticality: business impact, revenue losses
emb.u .sment, legal problems I I
2. Sensitivity: privacy, trade secrets, planning
information. financial data [
3. Sources MIS, users, senior management
4. Levels: military, national security, commercial [
e. Asset valuation: standard accounting
f. Asset valu; ,placement value
g. Asset valuation: loss of availability
h. Asset valuation: estimating methods [ [
6. Use of asset analysis results
a. Limitations III
I. Lack of data
76
Table 8: Electro-Optical and Communication Courses
2. Interpretation
B. Threat and Exposure Assessment
I. Threats. vulnerabilities. and exposures defined
2. Methodologies for threat assessment
a. Properties of threats T177
b. Properties of assets
c. Combining properties: the cost exposure matrix TT
3. Probability concepts
a. Definitions Tb. Tables of probability values
c. Fuzzy metrics III
d. Expected values
e. Worst case II
f. Automated packages
4. Sources of threat information
a. Vulnerability analysis
b. Scenarios
c. Past history
d. Outside Sources
5. Calculating exposures
77
Table 8: Electro-Optical and Communication Courses
III. Safeguards: Security and Control Measures
A. Overview of Safeguards
1. Common sense
2. Types of controls: prevention, detection, reaction F T
a. Basic purpose of controls
b. Prevention
c. Detection
d. " .unment A Ie. Reaction or correction
3. Design strategies
a. Countermeasures
b. Countek measure selection E l
c. Sensitivity analysis
d. Decision analysis
e. Goal-seeking heuristics
f. Risk perception and communication
4. Components of EDP security
a. Administrative and organizational controls F
b. Policies
79
Table 8: Electro-Optical and Communication Courses
c. Personnel
d. Physical and environmental security
e. Computer operations
f. Contingency planning
5. Components of EDP security: technical
a. Communication and electronic exposures
b. Hardware
c. Encrytion H
d. Software
B. Organizational and Administrative Controls [[
1. Trade secrets, employee agreements. conflict of interest ] ]
2. Security policy
a. Intent (related to sensitivity)
b. Access to and distribution of information
c. Laws
d. Regulations
e. Company policy
f. Mandatory and discretionary security
g. Accountability: identification. authentication. audit I73. Responsibility areas. System Security Officer
79
Table 8: Electro-Optical and Communication Courses
a. Basic role III
b. Duties
c. Training and skills for a System Security Office
4. Employee training
a. Orientation
b. Skills IFI
5. Telecommuting
C. Personnel Consideration
1. Human motives for criminal action
2. Employee selection
a. Application forms
b. Permissions for investigations
c. Security clearance and citizenship
3. Professional certificates [ ]
4. Working environment
a. Vacations and job rotation [ [
h. Employee-management relations
c. Career path planning
d. Remuneration
80
Table 8: Electro-Optical and Communication Courses
5. Access rights and privileges
6. Prosecution for adverse actions ]
7. Employee separation III
D. Physical and Environmental Security
1. Site location and construction
a. Computer room considerations
b. Special microcomputer problems III
2. Physical access
a. Access vs. security I
b. Rooms. windows, doors, keys
3. Power III
a. Spikes, surges, brownouts
b. Costs of prevention/protection equipment I I I
4. Air-conditioning
5. Water exposures and problems [ ]
6. Fire prevention III
7. Fire protection
8. Tape and media libraries: retention policies I I I
9. Waste disposal
10. Off-site storage
91
Table 8: Electro-Optical and Communication Courses
11. Document libraries and controls ][
E. Computer Operations
I. Organization of computer operations
a. Mainframes III
b. Minicomputers
c. Microcomputers/office automation
2. Separation of duties
3. Controls at interfaces
4. Media controls
5. Backup procedures
6. People controls
F. Contingency Planning
I. Backups and procedures T
a. Data
b. Manuals and documentation
c. Equipment
1. Air conditioning
2. Uninterruptible power supply
2. Catastrophe planning
82
Table 8: Electro-Optical and Communication Courses
a. Stages in a disaster
b. Planning and response teams I
c. Testing plan IT
d. Communication of plan I 1
3. Security and controls in off-site backup and facilities I [
4. Business and DP insurnce
5. Software escrow arrangements III
IV. Safeguards: Security and Control Measures, Technical
A. Hackers and reality: Perception of Risk IllB. Communications and Electronic Exposures
1. Locus of attack
a. Terminals
b. Hosts
c. Front-end processors 1
d. Gatf ways *1
e. Links
f. Switches (multiplexors. packet switching, etc.)
g. Special problems with intelligent workstations
2. Types of attack
a. Passive: disclosure: traffic analysis: add/remove nodes
83
Table 8: Electro-Optical and Communication Courses
b. Active: modification; insertion: deletion: replay
3. Electronic
a. Incoming: interruptions: static: FRI: EMP
b. Outgoing: leakage
c. Solutions: shielding
4. Communications
a. Value-added communications
b. exposures incoming: noise and interference
c. Exposures outgoing: interception, replacement U T
d. Solution: physical measures
e. Solutions: encryption
f. ISO OSI communications standards
5. Network design
a. Desien considerations I
1. Integrtion of countermeasursinto network II
design: cryptographic checksum: time stamp:
Bell/LaPadula model
2. 1 of countermeasures into protocol layers:
link level encryption: end-to-end encryption
84
Table 8: Electro-Optical and Communication Courses
b. Assurance
1. Concept of trust
2. Degrees of trustworthiness [ [
3. Trusted network base
4. Testing
5. Formal specification
6. Formal verification
C. Encryption III
1. Definition (plaintext, ciphertext: encryption/decryption)
2. Public key and private key
3. Key distribution
4. Link level, end-to-end
5. Block mode, cipher block chaining, stream ciphers
(synchronous and self-synchronous)
6. DES. RSA El
7. Cryptanalysis and strength of cipher (theoretically secure
computationally secure)
8. Advantages and disadvantages
D. Software and Operating System Controls
1. Secure operating systems
85
Table 8: Electro-Optical and Communication Courses
a. History
b. Concepts: capabilities, reference validations
1. Secure kernels
2. Reference vdidations and capabilities
c. Present guidelines and standards, trusted computer base
d. Design principles fro secure systems F
I. Least privilege
2. Open design
3. Fail-safe defaults
4. Economy of mechanisms
5. Naturalness (human factors)
6. Continuous protection
e. Common penetration methods and countermeasures
1. Trojan horse; virus: worm: salami; piggyback;
deception: human compromise, etc.
2. Controls on changes; audit trails: program library:
code comparison: checksums and encryption: FTTvaccines and antiviral agents, access control; etc.
2. Access control
86
Table 8: Electro-Optical and Communication Courses
a. Discretionary access control
1. Subjects and objects T F I
2. Access privileges
3. Granting/revoking of privileges
4. Access control lists
5. Capabilities. descriptors
6. Supervisor states, rings. domains
b. Non-discretionary access control
1. Labels on subjects. objects
2. Rules for reading, writing
3. Software Controls: Development
a. The real problem: bugs I
b. Software engineering principles: layering. modularity
c. Structured methods
d. Formal specification and verification [[
e. Program library/librarianI I
f. Data dictionary as a control
g. Conversion and implementation
4. Software controls: Maintenance
a. Separation of duties I77
87
Table 8: Electro-Optical and Communication Courses
b. Testing controls
c. Chance control
5. Assurance
a. Integrity
b. Testing
c. Specification/verification ili
d. Facility man-trement III
e. Disaster/contingency III
f. Compliance/degree of trust I I
E. Database systems security ]
1. Overview III
a. Review of basic concepts of information protection I I _
b. Role of information protection in database systems
2. Threats FTa. Direct disclosure of data
b. Modification of data/tampering with data
c. Inference
d. Aggregation
e. Trojan horse
88
Table 8: Electro-Optical and Communication Courses
f. Coven disclosure of data
3. Policy/mechanism -ll
a. Policy versus mechanism III
b. Access controls
1. Access right and privileges I I
2. Access control policies I
3. Granulafity I !
4. Labels
5. Access control mechanisms III
c. Inference controls
d. Integrity controls III
I. Integrity policy III2. Integrity mechanisms III
e. Accountabiity controls
1. Identification and authentication
2. Audit
4. Design issues Illa. Protection Approaches
1. Trusted kernel Ill
2. Trusted filter -]T ]
89
Table 8: Electro-Optical and Communication Courses
3. Encryption TT F
h. Performance
c. Storage
d. Access control vs. integrity [ [
e. Assurance
V. Legal Environment and Professionalism I [ I
A. Law and legislation II
1. The underlying problem
a. Theft. copying software. privacy
h. Fraud
c. Physical abuse
d. Misuse of information
e. Sabotage
2. Laws as tools for computer security - I
a. Privacy laws and legislation
b. Intellectual property laws 7
1. Copyright law
2. Trade secret law
3. Patent law
90
Table 8: Electro-Optical and Communication Courses
4. Trademark law
c. Federal laws (esp. Computer Security Act 1987)
d. State statutes
e. DPMA Model Computer Crime Bill
f. Computer crime legislation in other countries
3. Legislation as legal options to control computer crime
a. License agreements (consumer license agreements)
b. permanent license agreements
c. Intellectual property rights
d. Employee non-disclosure considerations
e. Contracts
1. Software development contracts
2. Legal aspects of software purchasing
3. Leasing contractsII
f. Warranties for software and hardware II
4. Control of strategic materials ] I ]
5. Fraud and crime prevention and detection jfj
6. Investigation: evidentiary trial
B. Ethics and professionalism
1. Ethical decision-making
91
Table 8: Electro-Optical and Communication Courses
2. Professional societies
a. British Computer Society I I
b. North America: DPMA and ICCP
c. Canada CIPS and DPMA T
I. CIPS
2. DPMA Canada III
d. Computer Professionals for Social Responsibility
e. EDP Auditors Foundation III
3. National Computer Security Center
4. National Bureau of Standards
5. Certificate in Data Processing(CPC): Certified Information
Systems Auditor(CISA)
VI. CICA Computer Control Guidelines
A. Accounting and auditing 7 ll1. Computer Control Guidelines
a. Responsibility for Control
b. Information Systems Development and Acquisition
c. Information Systems Processing
d. Segregation of Incompatible Functions and Controls I I
92
Table 8: Electro-Optical and Communication Courses
e. Application Controls
2. Information systems audit
a. Security review objectives
b. Specific security controls
c. Security review process III
d. Evidence accumulation
e. Evaluation of test results T
f. Communication of control weaknesses
93
LIST OF REFERENCES
[ Ref. 1] Stoll, C. The Cuckoo's Egg, Doubleday, 1989.
[ Ref. 2] Computer Science Department, Purdue University, Technical
Report Number CSD-TR-823, The Internet Worm Program:
An Analysis, by E. H. Spafford, pp. 1-2, 1988.
[ Ref. 3] U.S. General Accounting Office Report, GAO / T-IMTEC-
92-5, Hackers Penetrate DoD Computer Systems, by J. L.
Brock, pp. 2-3,1991.
[Ref. 4] Baker, Richard H., Computer Security Handbook, 2nd
Edition, pp. xvii-xviii, TAB Professional and Reference
Books, 1991.
[ Ref. 5] Denning, Peter J., ed., Computers Under Attack: Intruders,
Worms, and Viruses, p. xiv, ACM Press/Addison-Weseley,
1990.
[ Ref. 6] Russell, D., and Gangemi Sr., G. T., Computer Security
Basics, pp. 8-11, O'Reilly and Associates, Inc., 1991.
[ Ref. 7] Ibid.
[Ref. 8] Ibid., 17.
[Ref. 9] Ibid., 13.
[Ref. 10] Denning, iii.
[Ref. 11] Ibid., 456.
[Ref. 12] Ibid., 459-460.
[Ref. 13 ] Brock, 5.
94
[Ref. 14 Interview between J. Zucker, Lieutenant Commander, USN,
Moffett Naval Air Station, Mountain View, CA, and the
author, 25 November, 1991.
[Ref. 15 Interview between D. Hutton, ADP Manager, Naval
Postgraduate School, Monterey, CA, and the author, 15
November, 1991.
[Ref. 16] Russell, 283.
[Ref. 17] Ibid., 104.
[Ref. 18] Ibid.
[Ref. 19] Ibid., 112.
[Ref. 20] Fites, P.E., "Professional Certification for Information
Systems Security Practitioners", Computer Security Journal,
v. V, n. 2, pp. 75-88., Computer Security Institute, 1990.
[Ref. 21] Ibid., 76.
[Ref. 22] Ibid., 77.
95
INITIAL DISTRIBUTION LIST
Defense Technical Information Center 2Cameron StationAlexandria, VA 22304-6145
Dudley Knox Library 2Code 52Naval Postgraduate SchoolMonterey, CA 93943-5002
Chairman, Code 37 2Administrative Sciences DepartmentNaval Postgraduate SchoolMonterey, CA 93943
Administrative Sciences Department 1Code AS/BdNaval Postgraduate SchoolMonterey, CA 93943
Computer Science DepartmentCode CS/SpNaval Postgraduate SchoolMonterey, CA 93943
CommanderNaval Computer and Telecommunications Command4401 Massachusetts Ave., N.W.Washington, D.C. 20394-5000
Director of Space and C4 System Requirements N6(OP 094) 1Office of the Chief of Naval OperationsWashington, D.C. 20370-5000
96
CDR Debbie CampbellNational Computer Security Center NSA / C81 /APSXI9800 Savage Rd.,Ft. Meade, MD 20755-6000
Naval Information Systems Management CenterBldg. 166,Washington, D.C. 20374-5070
SPAWARCode 2241Crystal City 5CPK, 700Washington, D.C. 20363-5100
97